
Peter Hamilton: Who is liable for online banking scams?

Internet fraud is on the rise, with thousands of ordinary people falling victim to scams. But who pays in the end?

Life has become less secure in the last few years. Not only do we have to deal with what seems to be a much higher risk of terrorist outrages but the cyber world has also become less safe. Take, for example, the recent major systems and computer failures affecting banks, British Airways and the National Health Service.

There is also the problem of internet-based fraud, with many thousands of ordinary people falling victim to scams.

One common scam involves bank customers being duped into making transfers to the fraudster’s account. In the typical case, the fraudster disappears with the money immediately.

Once the customer realises what has happened, the money has gone and the bank refuses to accept responsibility because it says it was simply obeying the customer’s instruction to pay.

On closer examination, however, there are good legal reasons for saying the banks should be held responsible. In any event, they should improve the way in which they process instructions to make payments via their online banking systems. This would drastically reduce the number of successful frauds.

A case study

Here is an example of such a scam. A customer needs to make a large payment to his builder. The genuine builder sends the customer an invoice by email for, say, £25,000. He also sends the customer the details of his bank account. Before he is able to pay, a fraudster sends the customer an email, apparently from the builder, saying he has had to change his banking details for a number of reasons, and gives the customer the details of a different account.

As is often the case, in this example, the bank has both accounts – the customer’s and the fraudster’s.

The usual bank’s online form requires the customer to provide the following information about the payee:

  • The name of the payee
  • The name of the payee’s bank
  • Its sort code
  • The account number.

In good faith, the customer completes an instruction to pay the money to the genuine builder by name but giving the fraudster’s account number and sort code.

When the bank receives the customer’s instruction to pay, it transfers the £25,000 to the fraudster’s account. The latter then withdraws the money and disappears.

On discovering what has happened, the customer claims the money from the bank. But the bank says it paid the correct account identified only by its number and sort code. It did not check the name of the account holder. Banking practice in the UK and EU does not require it to do so. Thus the bank denies liability for the loss.

Almost certainly, the customer was unaware of the limited checking process undertaken by the bank. Of all the information he supplied to the bank, the one piece he regarded as important was the name of the genuine builder. Why was it not checked?

The bank has to act in accordance with the Payment Services Regulations. These require the bank to comply with its customer’s instructions to pay to the account which has been unambiguously identified in the payment instruction.

The banking system has been designed so that the combination of sort code and account number relates to only one account. Hence the practice of only checking the account number and sort code.

In this case, however, the name of the account or the name of the account holder would have been different from the genuine account and its holder. There is thus an inconsistency in the information provided by the customer and, if the bank had checked the name, it would have discovered that. In that situation, as a minimum, the bank should have referred back to the customer. If it had done so, the fraud would have been revealed and foiled.

It seems a small thing for the bank to do – to check the consistency of all the information it has asked for and which has been supplied to it by its customer.
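The consistency check argued for above can be sketched in code. This is an added example, not part of the original article and not any bank's actual system; the ledger entries, sort codes, account numbers, names and the 0.8 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample ledger: (sort code, account number) -> holder name on record.
ACCOUNTS = {
    ("40-00-01", "11111111"): "J. Mason Building Services Ltd",  # genuine builder
    ("40-00-01", "22222222"): "A. N. Other",                     # fraudster's account
}

# Words ignored when comparing names (assumed list, not a standard).
SUFFIXES = {"ltd", "limited", "plc", "llp", "co", "and", "the"}


def normalise(name):
    """Lower-case, strip punctuation, drop company suffixes, sort the tokens."""
    tokens = re.findall(r"[a-z0-9]+", name.lower().replace("&", " and "))
    return sorted(t for t in tokens if t not in SUFFIXES)


def name_check(payee_name, sort_code, account_number, close=0.8):
    """Compare the payee name the customer typed with the holder on record."""
    holder = ACCOUNTS.get((sort_code, account_number))
    if holder is None:
        return "UNKNOWN_ACCOUNT"
    given, actual = normalise(payee_name), normalise(holder)
    if given == actual:
        return "MATCH"
    ratio = SequenceMatcher(None, " ".join(given), " ".join(actual)).ratio()
    return "CLOSE_MATCH" if ratio >= close else "NO_MATCH"


def process_instruction(payee_name, sort_code, account_number):
    """Pay only when name, sort code and account number are consistent;
    otherwise refer the instruction back to the customer."""
    result = name_check(payee_name, sort_code, account_number)
    action = "PAY" if result == "MATCH" else "REFER_TO_CUSTOMER"
    return action, result


if __name__ == "__main__":
    # The case study: genuine builder's name, fraudster's account details.
    print(process_instruction("J Mason Building Services Limited",
                              "40-00-01", "22222222"))
```

In the case-study scenario the instruction is referred back to the customer instead of being paid, because the name on record for the supplied account number and sort code does not match the payee name.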

The Payment Systems Regulator, which has the duty of enforcing the regulations, should act to make all banks carry out proper checks to ensure consistency in all the information at the bank’s disposal. Relying just on the account number and sort code is not good enough, particularly because this kind of fraud is now so common.

The bank is also under a positive common law duty to protect its customer from fraud. In this case, the bank had information which should have put it on enquiry as to whether the correct account to be credited was the genuine builder’s or the fraudster’s. The bank should have checked. If it had done so, the fraud would have been prevented. The bank was therefore liable.

Peter Hamilton is a barrister specialising in financial services at 4 Pump Court and co-founder of 





There are 11 comments at the moment, we would love to hear your opinion too.

  1. Steve Osbiston 3rd July 2017 at 3:11 pm

    I always feel the bank must know its customer just like IFAs have to. This includes Money Laundering checks. If these aren’t done correctly then surely the bank must be liable for opening an account for fraudsters.

    It does seem difficult to pass these tests with many institutions now so why does the problem persist?

    If the bank allows an account to operate for a fraudster then they must be deemed party to the crime.

    FCA put the burden on the account opening bank.

  2. “When the bank receives the customer’s instruction to pay, it transfers the £25,000 to the fraudster’s account. The latter then withdraws the money and disappears.”

    This raises a few questions that regulators and banks (and their new trade body) should address as a matter of urgency.

    Firstly, how was the fraudster able to open the account in the first place (assuming it was a fake identity, if not then easily traced).

    Secondly, how quickly was the fraudulent account closed down? Experience suggests not very quickly meaning the account is open long enough to be used for several scams.

    Thirdly, how easy is it for members of the public and other financial services companies to report fraudulent accounts? Again, experience as the latter suggests it’s neither quick nor simple which means it’s nigh on impossible for the former.

    There are some quick wins available here. But big wheels turn very slowly it would seem…

  3. Matthew Pachent 3rd July 2017 at 3:28 pm

    Surely the point of the sort code and account number are the replacement for the name – why not go back to just using the name, then the banks can check the billions of “Peter Smith” accounts and make sure it goes to the right one? Can’t see why that would be a problem, don’t think we need sort codes or account numbers at all.

  4. Julian Stevens 4th July 2017 at 10:05 am

    Pay by cheque and give it to the intended recipient in person. I’d never settle an invoice for a substantial sum of money electronically.

  5. The article is identical to the situation I find myself in at the moment.

    I e-mailed an invoice to my customer, the invoice was re-submitted to my customer within a couple of hours using my name and the fraudster’s account details.

    My customer transferred £12,000 into the fraudulent account.

    He says he’s paid and that’s where I find myself.

    Forgive my ignorance but is Peter Hamilton saying the bank was liable?

    Any help or advice would be greatly appreciated.

    • Hello, I am in exactly the same situation. My customer says the bank will update him within 30 days. Two months later I am still chasing with the customer to see if money has been recovered. I am at a financial loss. But customer doesn’t seem bothered as, as far as he is concerned, payment has been made. However I have never received the payment as customer paid the hacker. Action Fraud have done nothing. The bank won’t talk to me because the money did not leave my account and now it seems my customer is just hoping I forget and move on. Currently waiting on advice from trading standards. Had to go through the CAB but still have had no call back. Would appreciate some advice.
      Thank you

  6. Kelly,

    I was wondering if you have made any progress on your case.
    My situation is identical to yours. After 5 months and several requests for updates from Action Fraud, I have yet to be contacted.
    If anyone else is experiencing this type of fraud and can offer any advice it would be appreciated.

  7. My client is in the same position as Kelly Wheeler’s customer, and Steve Owens’ (and no doubt thousands of others).
    “Know your customer” checks performed by the banks are clearly inadequate – hence the number of recent news items warning students not to be recruited as a “money mule” by organised criminals.
    The duty of care point in Peter Hamilton’s last paragraph is an excellent one. Email hacking and identity theft are occurring on an industrial scale. In this environment, a bank which does not do basic security checks such as matching account names to incoming payments, is leaving the door wide open to fraud and is thus failing in the duty of care that it owes to all of its customers to ensure adequate safety of their financial transactions.
    The Tidal Energy case [Tidal Energy Ltd v Bank of Scotland Plc [2014] EWCA Civ 1107 (31 July 2014)] is a dismal decision which the banks cite to shirk their duty of care, leaving their customers vulnerable to organised crime. It was a split decision in the Court of Appeal. Leave to appeal to the Supreme Court was granted, but surprise, surprise the Bank of Scotland settled out of court. The case was brought in the wake of a fraud, but the banks’ duty of care did not appear to be examined in the judgement. Instead it turned upon the technical details of CHAPS payments. So perhaps its effects are not as broad ranging as the banks like to make out…
    If Peter Hamilton’s article and the responses to it help him to bring a class action against the banks to overturn Tidal Energy, or get the FCA to lean on the banks to reform their shabby and dangerous practices concerning money transfers, then I say more power to his elbow.

  8. My husband and I are in this situation. We have paid our builder £8000, or so we thought, as the email has been intercepted and we have paid the money to a fraudster. Our builder says it’s our e-mail that is hacked, but he sent us the email? Who’s right?

  9. This is clearly a problem that the banks are not addressing despite boasting of every transaction being “subject to our usual fraud checks”. When asked to explain what these checks are they decline as being confidential!
    Unfortunately when I tried to consult with the author Peter Hamilton I was told by his clerk “Peter sends his apologies that he cannot recall the case law and, as he has now retired from the Bar, has discarded of his papers.
    Sorry that we cannot be of any further assistance.”
    Very disappointing!!
